
Thread: EXECryptor (Latest version) dump fixing

  1. #1
    rockdh
    Guest

    EXECryptor (Latest version) dump fixing

    How can I fix the dump of EXECryptor latest?
    I think I reached the OEP, as the dump I have here can be edited easily (like title and stuff).
    But it does not run, since I need to fix it.
    I tried ImpRec and execryptor plugin but the imports are still invalid.

    What do i do?
    If you need the dumped program, please let me know.
    I promise that I have read the FAQ and tried to use the Search to answer my question.

  2. #2
    Did you trace the dump to see where it is crashing? Did you check to see if they messed with the header? What did YOU do to try to solve your problem, as required by our Rules?

    Post some code, with all identifying information about the target removed, as also required by our Rules, and someone might be able to confirm if you found the OEP. If you want to talk about the target with others who respond here, DO IN PM.

    Regards,
    JMI

  3. #3
    rockdh
    Guest
    Here is some code

    Code:
    7C935FBA   75 07            JNZ SHORT 7C935FC3
    7C935FBC   66:837D D8 00    CMP WORD PTR SS:[EBP-28],0
    7C935FC1   75 3E            JNZ SHORT 7C936001
    7C935FC3   8D45 DC          LEA EAX,DWORD PTR SS:[EBP-24]
    7C935FC6   8985 ACFEFFFF    MOV DWORD PTR SS:[EBP-154],EAX
    7C935FCC   F645 E3 80       TEST BYTE PTR SS:[EBP-1D],80
    
    USELESS CODE DELETED TO SAVE SPACE IN THE DATABASE
    
    7C93636C   4E               DEC ESI
    7C93636D   54               PUSH ESP
    7C93636E   286E 74          SUB BYTE PTR DS:[ESI+74],CH
    7C936371   64:6C            INS BYTE PTR ES:[EDI],DX                 ; I/O command
    7C936373   6C               INS BYTE PTR ES:[EDI],DX                 ; I/O command
    7C936374   293A             SUB DWORD PTR DS:[EDX],EDI
    What do I do next?

  4. #4
    disassembly of ntdll.dll isn't useful

  5. #5
    SiGiNT
    Damn, deroko,

    You beat my post by about 10 seconds - a word of advice to our mutual friend trying to unpack Execryptor - if you don't know the difference between your target and a system dll, I'd aim my sights a little lower and work up to Execryptor.

    SiGiNT
    Unemployed old fart Geek - Self Employed Annoyance
    Team: Noobisco Crackers
    If someone can't do it for you, you'll never learn!

  6. #6
    Quote Originally Posted by sigint33
    if you don't know the difference between your target and a system dll I'd aim my sights a little lower and work up to Execryptor.
    LOL. As in going back to basic Windows system architecture.

  7. #7
    There! I shortened up the eyesore a bit, by putting it inside CODE brackets instead of QUOTE brackets

    Regards,
    JMI

  8. #8
    rockdh
    Guest
    Code:
    7C93616A   85C0             TEST EAX,EAX
    7C93616C   0F84 9F460000    JE 7C93A811
    7C936172   66:834F 38 FF    OR WORD PTR DS:[EDI+38],0FFFF
    7C936177   66:834F 3A FF    OR WORD PTR DS:[EDI+3A],0FFFF
    7C93617C   8B75 F4          MOV ESI,DWORD PTR SS:[EBP-C]
    
    MORE USELESS CODE DELETED TO SAVE SPACE IN THE DATABASE
    
    7C936209   74 6C            JE SHORT 7C936277
    7C93620B   70 53            JO SHORT 7C936260
    7C93620D   65:72 69         JB SHORT 7C936279                        ; Superfluous prefix
    7C936210   61               POPAD
    7C936211   6C               INS BYTE PTR ES:[EDI],DX                 ; I/O command
    Sorry, I didn't even notice that I was in ntdll.
    The original file is 14.5 MB and my dump is 40.5 MB.

  9. #9
    rockdh:

    STOP POSTING LARGE BLOCKS OF CODE YOU HAVE "NO CLUE" WHAT THEY ARE!!!!!

    Also when you post code you should use Code and /CODE, with the words surrounded by [ ], instead of QUOTE /QUOTE surrounded by brackets.

    Regards,
    JMI

  10. #10
    Kayaker
    Er, what are you using for a disassembler, Win32Dasm? Do yourself a favor and at least learn to use the IDA freeware version so you don't make erroneous guesses at instruction comments.

    This disassembly is wrong:
    Code:
    7C9361E5   68 0862937C      PUSH 7C936208        ; ASCII "RtlpSerializeHeap"
    ...
    7C936204   C2 0400          RETN 4
    7C936207   90               NOP
    
    this is ascii, not instructions
    
    7C936208   52               PUSH EDX
    7C936209   74 6C            JE SHORT 7C936277
    7C93620B   70 53            JO SHORT 7C936260
    7C93620D   65:72 69         JB SHORT 7C936279          ; Superfluous prefix
    7C936210   61               POPAD
    7C936211   6C               INS BYTE PTR ES:[EDI],DX   ; I/O command
    This is *supposed* to disassemble to:
    Code:
    :7C9361E5 68 08 62 93 7C    push    offset aRtlpserializeh ; "RtlpSerializeHeap"
    ...
    :7C936204 C2 04 00          retn    4
    :7C936204                   sub_7C9361D2    endp
    
    :7C936207 90                                align 4
    :7C936208 52 74 6C 70 53 65+aRtlpserializeh db 'RtlpSerializeHeap',0
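
    A small check for the point Kayaker makes, as an added example that is not from the thread: an address pushed as an immediate that lands on a NUL-terminated printable run of bytes is string data, and a linear disassembler that walks into it produces junk like the JE/JO/INS lines above. The bytes for the PUSH, the RETN 4, the NOP and the string are taken from the listing; the bytes the listing elides between them are filled with NOPs, which is an assumption.

```python
"""Added example (not from the thread): find PUSH imm32 instructions whose
immediate points at a NUL-terminated printable string inside the image,
marking those targets as data rather than code."""
import struct

BASE = 0x7C9361E5  # start of the region shown in the thread (ntdll.dll on XP)

# Constructed image bytes for that region. The elided bytes between the
# PUSH and the RETN (7C9361EA..7C936203) are NOP filler (assumption).
IMAGE = bytes([0x68, 0x08, 0x62, 0x93, 0x7C])   # push 7C936208
IMAGE += b"\x90" * (0x7C936204 - 0x7C9361EA)   # filler for elided bytes
IMAGE += bytes([0xC2, 0x04, 0x00])              # retn 4 at 7C936204
IMAGE += b"\x90"                                # align/nop at 7C936207
IMAGE += b"RtlpSerializeHeap\x00"               # data at 7C936208


def cstring_at(image, base, addr, min_len=4):
    """Return the printable NUL-terminated ASCII string at addr, or None
    if addr is outside the image or the bytes there are not a string."""
    off = addr - base
    if off < 0 or off >= len(image):
        return None
    end = image.find(b"\x00", off)
    if end < 0:
        return None
    chunk = image[off:end]
    if len(chunk) < min_len or not all(0x20 <= b < 0x7F for b in chunk):
        return None
    return chunk.decode("ascii")


def find_string_refs(image, base):
    """Scan for 68 imm32 (PUSH imm32) where imm32 is an in-image address of
    a printable NUL-terminated string. Returns (push_addr, target, text)."""
    refs = []
    for off in range(len(image) - 4):       # need 4 bytes after the opcode
        if image[off] != 0x68:
            continue
        target = struct.unpack_from("<I", image, off + 1)[0]
        text = cstring_at(image, base, target)
        if text is not None:
            refs.append((base + off, target, text))
    return refs


if __name__ == "__main__":
    for src, dst, text in find_string_refs(IMAGE, BASE):
        print(f"{src:08X}: PUSH {dst:08X} -> data: {text!r}")
```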

  11. #11
    Hi Kayaker. Actually, my glasses weren't dirty. The Board froze on me for a moment and I could not get the Edit Button to work, so I hit Back on my browser to try to fix a spelling error. When I saved it again, it only showed me one copy of the Post, rather than the double Post.

    Thanks for "cleaning up" for me.

    Regards,
    JMI

  12. #12
    Quote Originally Posted by rockdh
    sorry i didnt even notice that i was in NT-DLL.
    You are still in ntdll. On XP, when you see base 7c9xxxxx or 7c8xxxxx, you know already that you are in ntdll or kernel32.

  13. #13
    SiGiNT
    Actually, if you see 8-digit addresses you are not in your target, you're in a system file of some sort (or an associated dll, ocx or other file). Just glance up to the top of your CPU window in Olly; it'll tell you what you are in. If it says "main" you're in memory (unpacked running code); you usually should be in the address range of 4XXXXX - 8XXXXX.

    SiGiNT
    Last edited by SiGiNT; July 9th, 2006 at 10:23.

  14. #14
    rockdh
    Guest
    I think this code should do (it is from the entry point).

    Code:
    8nuz96wg:02BFB7C1
    _8nuz96wg:02BFB7C1
    _8nuz96wg:02BFB7C1                 public start
    _8nuz96wg:02BFB7C1 start           proc near
    _8nuz96wg:02BFB7C1                 push    ebp
    _8nuz96wg:02BFB7C2                 pop     ebx
    _8nuz96wg:02BFB7C3                 rol     eax, 18h
    _8nuz96wg:02BFB7C6                 and     [ecx+2Fh], cl
    _8nuz96wg:02BFB7C9                 add     [ebx], edx
    _8nuz96wg:02BFB7CB                 adc     bh, ds:0A10CB81h
    _8nuz96wg:02BFB7D1                 inc     ecx
    _8nuz96wg:02BFB7D2                 mov     ebx, 3D2AF381h
    _8nuz96wg:02BFB7D7                 sbb     ds:4468C31Bh[ebx*4], bl
    _8nuz96wg:02BFB7DE                 sbb     eax, [ecx+ecx*8+0F11CC15h]
    _8nuz96wg:02BFB7E5                 test    [edi-53h], esp
    _8nuz96wg:02BFB7E8                 and     ecx, 816F2D1Dh
    _8nuz96wg:02BFB7EE                 into
    _8nuz96wg:02BFB7EF                 mov     ebp, 81FA1AE0h
    _8nuz96wg:02BFB7F4                 jmp     far ptr 0B120h:8CDAB722h
    _8nuz96wg:02BFB7F4 start           endp
    _8nuz96wg:02BFB7F4
    _8nuz96wg:02BFB7F4 ; ---------------------------------------------------------------------------
    Please let me know whether it is unpacked.

  15. #15
    naides
    Cannot tell for sure if it is unpacked,
    but look at the code itself: the instructions are aimless and illogical.

    Chances are it is still packed and you just disassembled a random string of bytes, or heavily obfuscated code,

    OR, less likely,

    it is unpacked, but the original code was itself heavily obfuscated.
    Last edited by naides; July 10th, 2006 at 08:06.
